Cisco Firewall :: ASA-5520 - Auto-Save The Connections Detail And Xlate

Oct 10, 2012

I have the ASA5520, and every day I have a lot of connections through my ASA5520, but the buffer in the ASA5520 to save connections is limited. Now I want my ASA to auto-save the conn detail and xlate to my syslog server; how can I do that?

View 3 Replies



Cisco Firewall :: PIX 520 / All Xlate Connections Used Within Hours?

Jan 15, 2008

I have a strange problem which looks to me like a DoS attack from the inside, but I can't be sure.
 
Symptoms:

All xlate connections used within hours.

Xlate connections start with all our servers across our WAN before moving onto  all workstations.

No viruses have been found.

Looked in syslog and I can't find one single outside IP that seems to be a possible source.

View 7 Replies

Cisco Firewall :: 5520 - Failover ASA LU Allocate Xlate Failed

Oct 10, 2011

We have two ASA 5520s; the failover unit is showing "LU allocate xlate failed". We read on [URL] that it could be a memory problem, but have checked it and we have 85% of memory free on both nodes. We also can see all xlates on the failover unit.
 
We forced failover this evening and we can't establish outbound connections via the outside interface; we think xlates or NAT can't work properly.

View 5 Replies

Cisco :: ASA 5520 - LU Allocate Xlate Failed / Failover Unit Reloads

Mar 24, 2010

We just had an issue with our failover unit reloading. In perusing the logs there were a number of "%ASA-3-210007: LU allocate xlate failed" errors prior to the reload. These units had just had their OS upgraded to fix a DoS issue a few weeks ago. I have not seen the error since it reloaded. However, I was asked to report the issue just in case it is a bug in the new version of the OS. Two units in failover.
 
Cisco Adaptive Security Appliance Software Version 8.0(5)9
Device Manager Version 6.0(2)
Compiled on Mon 01-Feb-10 10:36 by builders
System image file is "disk0:/asa805-9-k8.bin"
Config file at boot was "startup-config"
CP-ASA up 17 days 21 hours
failover cluster up 17 days 22 hours
[code]....

View 1 Replies

Cisco Firewall :: Show Active TCP Connections In ASA 5520?

Jun 5, 2013

how many active TCP sessions my ASA has, but I'm having a hard time finding this information. When I do "show conn count" from the CLI it shows what I'm guessing is a sum of both TCP and UDP. Is there any way to get just the TCP connections?

View 3 Replies

Cisco Firewall :: ASA 5520 ACL Established Connections Configurations

Jan 16, 2012

I have one ASA5520 with version 8.4(3) and a few ACL rules defined. One ACL permits traffic from one interface (EXT_SERVICE) to another interface (DMZ_SERVICE). If I change that rule to deny traffic, all new connections that match the rule are denied, but not the established connections. Why can the established connections pass the deny rule? How can I change that? I need to create an ACL of deny type and stop all communications that are running and match the deny rule.

Running-config of my ASA5520:

ciscoasa# show run
: Saved
:
ASA Version 8.4(3)
!
hostname ciscoasa
enable password 8ay2wjIyt7RRXU24 encrypted
passwd 2wFQnbNIdI.2KYtU encrypted
names
!
interface GigabitEthernet0/0
[Code] ........

View 9 Replies

Cisco Firewall :: Disable Xlate In ASA 8.1?

Feb 6, 2012

Do you know if it is possible to disable the xlate for some connections?
 
The ASA has some concurrent session limitation that, I think, is related to xlate connections.
 
As my firewall is not performing any kind of NAT, is it possible to disable xlate for some connections?
 
I saw some options like NAT exemption, but I'm not sure if the xlate is still being created even if we don't have a NAT translation.

View 3 Replies

Cisco Firewall :: ASA 5520 Default Inspection Engine Dropping Connections

May 25, 2011

I currently have the default inspection engine configured in my firewall to inspect HTTP traffic. I noticed that the ASA will drop packets when visiting legitimate websites. I've tried googling for a workaround but have been unsuccessful. How can I exclude some websites or IPs from being affected by the inspection engine?

View 1 Replies

Cisco Firewall :: What Is The Impact Of Disabling Xlate In FWSM 4.0.8

Nov 27, 2011

What is the impact of disabling xlate in FWSM?
 
We have dynamic NAT configured from the inside to the outside interface, but it is still showing the NAT entry as below:
 
"NAT from inside:177.26.99.10 to outside:177.26.99.10 flags Ii"
 
The expected NAT entry should be as below:
 
"NAT from inside:177.26.99.10 to outside:111.111.111.111 flags Ii"
 
We were considering implementing "ip verify revert-path". Hence I am thinking whether xlate-bypass is the issue here and whether implementing the same with "ip verify revert-path" would be a good idea.

View 1 Replies

Cisco Firewall :: ASA 5510 - Show Local-host All Detail Connection / Timeout

Nov 28, 2012

Version: Cisco ASA 5510 8.4(4)1

I've installed a Cisco ASA 5510.

When I run "show local-host all detail connection":

Normal situation:

105 myfailover:10.255.255.2/0 NP Identity Ifc:10.255.255.1/0,
idle 0s, uptime 1D14h, timeout 2m0s, bytes 18196822

But I got this output (timeout -):

[URL]

View 0 Replies

Cisco Firewall :: ASA 5505 8.2 (1) Is Rebooting After High Xlate Usage?

Feb 26, 2012

I have an ASA that just started to reboot throughout the day yesterday. It seems to happen every few hours, but not in a pattern. Right before it reboots there is a flood of syslog ID 305006 messages, "portmap translation creation failed for tcp src inside:xxx dst outside:xxx"; the xlates go from around 2-3k to about 30k+, then it crashes. Memory usage is already pretty high normally on this device (about 75% used); CPU is around 15-20%. I notice that the portmap translation errors are always from 3 inside hosts.

View 4 Replies
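The first post on this page asks how to get connection and xlate detail off the ASA and onto a syslog server, and the ASA 5505 post above reports a flood of 305006 portmap failures from three inside hosts just before the box reloads. The ASA side of the first question is ordinary logging configuration: logging enable, logging host with the collector's interface and address, and either logging trap informational or a logging list that selects message IDs 302013-302016 (TCP/UDP connection build and teardown) and 305011-305012 (dynamic translation build and teardown), applied with logging trap and the list name. What follows is an added example, not code from any of the posters or from Cisco: a Python parser, written for this page, that runs on the collector side, rebuilds per-connection records (endpoints, duration, bytes, teardown reason) from those messages, and counts translation builds and 305006 failures per inside host so that the hosts exhausting the xlate table stand out. The sample lines are constructed to match the documented message formats; the addresses, interface names and connection IDs are invented.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the format the ASA emits for IDs
# 302013/302014 (TCP build/teardown), 305011 (dynamic translation built)
# and 305006 (portmap translation creation failed). Addresses are invented.
SAMPLE_SYSLOG = """\
%ASA-6-305011: Built dynamic TCP translation from inside:10.1.1.20/51000 to outside:203.0.113.7/1024
%ASA-6-302013: Built outbound TCP connection 4001 for outside:198.51.100.10/443 (198.51.100.10/443) to inside:10.1.1.20/51000 (203.0.113.7/1024)
%ASA-6-302014: Teardown TCP connection 4001 for outside:198.51.100.10/443 to inside:10.1.1.20/51000 duration 0:00:12 bytes 8123 TCP FINs
%ASA-6-305011: Built dynamic TCP translation from inside:10.1.1.99/40001 to outside:203.0.113.7/1025
%ASA-6-305011: Built dynamic TCP translation from inside:10.1.1.99/40002 to outside:203.0.113.7/1026
%ASA-6-305011: Built dynamic TCP translation from inside:10.1.1.99/40003 to outside:203.0.113.7/1027
%ASA-3-305006: portmap translation creation failed for tcp src inside:10.1.1.99/40004 dst outside:198.51.100.22/25
%ASA-6-302013: Built outbound TCP connection 4002 for outside:198.51.100.22/25 (198.51.100.22/25) to inside:10.1.1.99/40001 (203.0.113.7/1025)
"""

CONN_BUILT = re.compile(
    r"%ASA-6-302013: Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) "
    r"for (?P<a_if>\w+):(?P<a_ip>[\d.]+)/(?P<a_port>\d+) \([\d.]+/\d+\) "
    r"to (?P<b_if>\w+):(?P<b_ip>[\d.]+)/(?P<b_port>\d+) \([\d.]+/\d+\)")
CONN_TORN = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<id>\d+) for \w+:[\d.]+/\d+ "
    r"to \w+:[\d.]+/\d+ duration (?P<h>\d+):(?P<m>\d\d):(?P<s>\d\d) "
    r"bytes (?P<bytes>\d+)(?: (?P<reason>.*))?")
XLATE_BUILT = re.compile(
    r"%ASA-6-305011: Built (?:dynamic|static) (?:TCP|UDP|ICMP) translation "
    r"from (?P<r_if>\w+):(?P<r_ip>[\d.]+)/\d+ to \w+:[\d.]+/\d+")
XLATE_FAIL = re.compile(
    r"%ASA-3-305006: \w+ translation creation failed for \w+ "
    r"src (?P<r_if>\w+):(?P<r_ip>[\d.]+)/\d+")


def parse_asa_syslog(text):
    """Return (connections, xlate_builds, xlate_failures).

    connections: dict conn_id -> record with both endpoints, direction and,
    once the teardown message is seen, duration in seconds, bytes and reason.
    xlate_builds / xlate_failures: Counter keyed by the real (inside) address.
    """
    conns, builds, fails = {}, Counter(), Counter()
    for line in text.splitlines():
        m = CONN_BUILT.search(line)
        if m:
            conns[m["id"]] = {
                "direction": m["dir"],
                "a": (m["a_if"], m["a_ip"], int(m["a_port"])),
                "b": (m["b_if"], m["b_ip"], int(m["b_port"])),
                "duration": None, "bytes": None, "reason": None,
            }
            continue
        m = CONN_TORN.search(line)
        if m:
            # Teardown may arrive for a conn whose build scrolled out of the log.
            rec = conns.setdefault(m["id"], {"direction": None, "a": None, "b": None})
            rec["duration"] = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
            rec["bytes"] = int(m["bytes"])
            rec["reason"] = m["reason"]
            continue
        m = XLATE_BUILT.search(line)
        if m:
            builds[m["r_ip"]] += 1
            continue
        m = XLATE_FAIL.search(line)
        if m:
            fails[m["r_ip"]] += 1
    return conns, builds, fails


def open_connections(conns):
    """IDs of connections that were built but have no teardown record yet."""
    return sorted(cid for cid, rec in conns.items() if rec.get("bytes") is None)


def noisy_hosts(builds, fails, min_builds=3):
    """Inside hosts that build many translations or hit portmap failures,
    which is the pattern behind xlate-table exhaustion. Returns a list of
    (ip, builds, failures) sorted by total activity, busiest first."""
    hosts = set(builds) | set(fails)
    rows = [(ip, builds[ip], fails[ip]) for ip in hosts
            if builds[ip] >= min_builds or fails[ip] > 0]
    return sorted(rows, key=lambda row: (-(row[1] + row[2]), row[0]))


if __name__ == "__main__":
    conns, builds, fails = parse_asa_syslog(SAMPLE_SYSLOG)
    for cid, rec in conns.items():
        print(cid, rec)
    print("still open:", open_connections(conns))
    print("noisy hosts:", noisy_hosts(builds, fails))
```

Point a real collector's output at parse_asa_syslog one file at a time; the per-connection records are what the first poster wanted persisted beyond the ASA's own buffer, and noisy_hosts is the quick check for the three-host pattern in the 5505 post before the xlate count climbs.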

Cisco Firewall :: ASA5510 - LU Allocate Xlate Failed / Add More Memory

Sep 13, 2011

I got an ASA5510. After problems with IPsec connections the log said:
 
LU allocate xlate failed

This error repeats every minute. At the Cisco site I found the following:
 
Explanation: Stateful failover failed to allocate a translation (xlate) slot record.
Recommended Action: Check the available memory by using the show memory command to make sure that the security appliance has free memory in the system. If no memory is available, add more memory.
 
But when I do, there is free memory (about 54%).
 
What can I do to fix this?

View 2 Replies

Cisco Firewall :: How To Schedule Automatic Xlate Sessions Cleaning In ASA5550

Jan 27, 2013

How to schedule automatic xlate session cleaning in an ASA5550? I want to clear a few global NAT sessions manually every week. Is there any way to automate that?

View 1 Replies

Cisco Firewall :: FWSM 3.2 Can Not Show Sessions In Xlate Between Two Specific Vlans

Dec 23, 2012

I have an FWSM running version 3.2(23), configured with interface VLANs all having the same security level, except the outside interface VLAN which has security level 0; same-security-traffic permit inter-interface and same-security-traffic permit intra-interface are also configured. My problem is that when establishing sessions (I tried TCP only, using SSH and Telnet, in addition to ping) from one specific VLAN (172.16.1.0/28) to another VLAN (172.16.1.16/28), I cannot see the established sessions in "show xlate debug" output, although I can see these sessions from capture! The two subnets are separate, two different /28s.
 
I can see the sessions established from the remaining interface VLANs with the same security level toward 172.16.1.16/28. My question is: what is the exception with the VLAN having this subnet 172.16.1.0/28? How can it reach the other VLAN with subnet 172.16.1.16/28 without showing anything in the xlate table? Do you think it is a bug?

View 3 Replies

Cisco Firewall :: Unable To Save Config In ASA 5505?

Sep 26, 2012

I have an ASA 5505 and I save the configuration on the ASA 5505 using write memory or using copy run start, but when I unplug the power cord and plug it back in, the ASA gets its factory default configuration.

View 8 Replies

Cisco Firewall :: Save Command Output To Flash On ASA 8.4?

May 28, 2012

How do you save the command output from the CLI to a file on flash?
 
With IOS, I would normally use a pipe command to redirect to TFTP, but the ASA doesn't support this as far as I can tell. As a workaround I was thinking I could save the output to flash and then TFTP that file off the ASA.

View 5 Replies

Cisco Firewall :: ASA 5510 Cannot Save Flash To Disk0

Feb 1, 2012

I deleted the flash from an ASA5510. I was able to TFTP a version back onto the device, but cannot seem to get the box to boot from this flash correctly. I get the following error:
 
!WARNING: BOOT variable added, but not a valid image disk0: /asa831-k8.bin
*** Output from config line 41,"boot system disk0:/asa83..."
 
I have tried every save syntax I can think of to save this flash, but have yet to have it boot with an image (I keep booting into ROMMON and have to TFTP the image back in).

View 5 Replies

Cisco VPN :: ASA 5520 - Monitoring SSL Connections

Sep 12, 2012

On the ASA5520 we would like to create a report that gives us trending over 6 months for the number of people logged in via the SSL VPN and for how long. Is there a way to do this on the ASA5520? Does it have this ability? Could I do this in SolarWinds? My boss mentioned a software package that Cisco has that will show a history; is this correct?

View 1 Replies

Cisco :: LMS 3.2 - Polling Detail In IPM Reports

May 1, 2012

We use LMS 3.2 with the latest patches. In IPM we have a couple of collectors (availability, latency, etc.) and reports for our customers.

The polling interval for all collectors is working hours, 7:30 - 18:00 Mo - Fr.

Unfortunately the polling detail is not included in the PDF report. Is there a way to include this information in the report?

View 1 Replies

Cisco VPN :: VPN Connections Fail When ASA 5520 Running IOS 8.41?

Sep 20, 2011

I have an ASA 5520 running user web traffic, incoming VPN and NAT for DMZ services. Nothing new for a standard firewall. I have upgraded the memory in it to 2GB, per Cisco, so that I could install and run IOS 8.41. I have uploaded both the IOS bin image and the ASDM 645 image and set it as the primary boot file. When I reload the ASA, everything boots fine, no errors, and all traffic appears to be working fine. But here is my problem: ALL the previously configured VPN sessions will connect to the ASA and show that they are passing traffic (TX and RX increment through the monitor), but if I try to access a device on the other side of the VPN, or they try to access services in the corporate network, the connection fails. Ping works, so I know I can reach the devices and the tunnel has been correctly created, but nothing else. I did not change anything in the configurations for the VPN connectors. But if I reload the ASA with the 8.21 version image, everything works just as before and all connections are good.

View 3 Replies

Cisco :: WS-C2960-24PC-S - How To Know Detail P/N On Switch

Oct 5, 2011

I would like to ask how I can find out the detailed P/N of switch WS-C2960-24PC-S. I want to know in detail what PC-S means, and for some switches LC-S.

View 2 Replies

Cisco WAN :: 5520 - Active / Passive ASA With Redundant ISP Connections

Apr 25, 2012

Currently we are using a single connection to our ISP and in the coming months will be moving to two separate connections (to the same ISP). In our current setup we utilize active/passive ASAs (5520, single context) and would like to utilize that going forward as well, the reason being that our DMZs all hang off these ASAs and we have fiber connectivity between our datacenters. Our main datacenter and DR datacenter are basically one big LAN with fiber between them, so we have our DMZ networks at both locations currently, with both terminating in our ASAs. That way, if the ASA at our current site fails, the DMZs are still accessible via the secondary firewall at our DR facility.

View 1 Replies

Cisco VPN :: 5520 Remote Site To Internet Connections

Jan 13, 2012

I have a remote office that currently connects back to a central data center via site-to-site VPN. I am bringing up a 2nd internet connection as a fallback in the remote office. How do I configure the site-to-site VPN to work correctly so that if the primary internet connection goes down, the site fails over to the secondary? At the remote site the internet connections are from different providers, so they have completely different blocks of public IPs.

Central
ASA 5520 8.0(4)
Gig 0/0 Public IP

Remote
ASA 5520 8.4(1)
Gig 0/0 Public IP
Gig 0/3 Public IP (2nd internet)

View 1 Replies

Cisco :: Performance Degradation From Using Debug Ip Packet ACL Detail?

Apr 5, 2012

I'm troubleshooting one-way audio with our AnyConnect phones. I think it is a routing issue. Typically I wouldn't run debug ip packet detail on a production router; however, I just found out that you can use ACLs to specify the traffic to be debugged.

R1(config)#access-list 199 permit tcp host 10.1.1.1 host 172.16.1.1
R1(config)#access-list 199 permit tcp host 172.16.1.1 host 10.1.1.1
R1(config)#end
R1#debug ip packet 199 detail
IP packet debugging is on (detailed) for access list 199

The use of debug commands requires the allocation of system resources like memory and processing power and in extreme situations can cause a heavily-loaded system to stall. Use debug commands with care. Use an ACL in order to selectively define the traffic that needs to be examined to reduce the impact of the debug command. Such a configuration does not filter any packets.

View 6 Replies

Cisco VPN :: 5520 Active Monitoring Of Remote Access Vpn Connections

Apr 14, 2012

I am using an ASA 5520 and an ASA 5540 for remote access VPN connections. Is it possible to do active monitoring of my VPN connections so that there would be alerts for VPN tunnels that fail to establish for reasons other than user authentication?

View 5 Replies

Cisco Firewall :: 5505 - VPN Client Is Not Set To Auto Reconnect

May 6, 2013

I am working with a small office that has a 5505 acting as a basic firewall. Behind it are off-the-shelf unmanaged switches. Two users have to work with an outside vendor and are having issues. They have a SonicWall remote VPN client on each of their desktops and use this to connect to the vendor. They then RDP into VMware-based Windows 7 desktops at the vendor's site to do their work. Randomly throughout the day (6-10 times per day), while they are actively working, the RDP session will disconnect. It will auto-reconnect after a few seconds. The VPN log on the clients never shows any issues. I believe this is an RDP problem because while the RDP session is disconnecting, their VPN client is not (it is set to NOT auto-reconnect if it gets disconnected, so that I will know for sure if it gets disconnected). I don't see anything in the ASA's logs about denying connections involving their PCs and the remote VPN peer IP.

View 7 Replies

Cisco Switching/Routing :: 494810ge - Counters Detail By SNMP?

Dec 5, 2012

I've got a 494810ge switch, and these parameters are important for me:
 
sh int gi 1/4 counters detail
  Port                InBytes       InUcastPkts      InMcastPkts       InBcastPkts
Gi1/4       252819467437788      173264735013            10827               760
  Port               OutBytes      OutUcastPkts     OutMcastPkts      OutBcastPkts
Gi1/4        36657317030233      280590958051          5248439           5443194
  Port              InPkts 64        OutPkts 64    InPkts 65-127    OutPkts 65-127
Gi1/4             558420918      205564441592       2627477631       60865368994

[code]....

Some parameters I can get by SNMP (InBytes, InUcastPkts, InMcastPkts, and so on for the Out direction), but how can I get the other parameters? I would like to do it by SNMP but I did not find the proper OIDs. Now I am using a scheme like this: EEM every 90 seconds takes this info, writes it down to a file in NVRAM and then sends it by SCP to a server, where the file is processed by a monitoring system script. It is not very good, because the Cisco system CPU sometimes spikes from this, and I don't know the NVRAM's endurance: how many times can I write to it?

View 2 Replies

Cisco Firewall :: Does ASA 5510 Support No Auto-summary And CIDR

Sep 19, 2011

if I can do the following deployment using a Cisco ASA5510 Security Plus.
 
At this moment I have two interfaces in use: one (outside) with the IP 172.16.21.254/24 and the other (inside) with the IP 192.168.4.1/24. Now the customer needs to connect another network that works with the IP segment 192.168.0.0/22.
 
The IP segment 192.168.0.0/22 goes from 192.168.0.1 to 192.168.3.254, which means that there is no overlap with the network segment 192.168.4.0/24. My question is: if I configure another interface in the ASA that works in the segment 192.168.0.0/22, will the routing table auto-summarize the network and merge it with the network 192.168.4.0, or will it leave the networks apart?
 
I don't use dynamic routing protocols, but I cannot make the changes if I have doubts, because the network 192.168.0.0/22 is the network for the factory automation systems.

View 1 Replies

Cisco Firewall :: ASA 5510 - Website Connection Auto Timeout After 5 Minutes

Oct 15, 2011

Our client tried to download a real-time generated file from a website; the generation process takes around 5 minutes, and after 5 minutes the file starts to download.
 
When my client connects directly to the internet, the file can be downloaded successfully, but when passing through the ASA 5510 and using the internal IP address, a message something like "Are you sure you want to log out from this web page?" appears in Safari after 5 minutes. I think the error message appears at the time a "you can start to download" message is sent from the server to the client; the page session has timed out, so the user cannot download the file from the internet as the session is not valid.
 
I couldn't find any timeout setting in "show runn". Is it possible the setting is in ASDM? How can I find it and configure it?

View 5 Replies

Cisco Firewall :: Different Between ASA-5520-K9 And ASA-5520-K8

Nov 2, 2012

We were using an ASA-5520-K9 with an ASA-SSM-AIP-20-K9 but recently found a hardware problem in our running ASA. Now Cisco wants to replace it with an ASA-5520-K8.

View 1 Replies

Cisco Firewall :: 1921 - IOS Firewall (ZBF) Limit SMTP Connections From Same IP

Mar 14, 2013

IOS Firewall (ZBF) Limit SMTP connections from same IP
 
We are running a Postfix MTA behind an IOS Firewall (ZBF) on a CISCO1921. Sometimes we get more than 2000 SMTP login attempts like
 
postfix/smtpd[123456]: connect from (...) (...) postfix/smtpd[123456]: lost connection after AUTH from (...)
 
in one second. Maybe brute force or DoS; nevertheless, we would like to protect the Postfix MTA from this stuff.
 
Can we inspect SMTP and limit connections in a time period from the same IP? Something like "not more than 10 SMTP connections during 60 seconds from the same IP".

View 8 Replies

Cisco Wireless :: 4400 / Track Login Detail And Visited Web Site On Public Wireless Network?

Oct 4, 2012

I am looking for a solution to track login details and visited web sites on our public wireless network. We are using a Cisco Wireless LAN Controller 4400 series.

View 3 Replies

Cisco Firewall :: Upgrade From 5505 To 5520 On Network - ASA Firewall Throughput

Feb 27, 2013

I'd like to see some REAL LIFE comparisons of ASA firewall throughput (a bit like this one for ISR G2 routers: [URL]).
 
The reason I ask is that I recently upgraded a firewall from an ASA5505 to an ASA5520 on a small network where the only outside connectivity was a single 10 Mb Internet circuit with an IPsec VPN (not landed on the firewall but on a router) to another site.
 
When I swapped out the firewall the users noticed a big improvement. The firewall is not doing anything out of the ordinary: no IPS or VPN, just standard stateful inspection.

View 5 Replies